Mozilla will fix add-on signing issue for older Firefox versions
Good news for Firefox users who run older versions of the web browser that are not supported anymore officially by Mozilla. Mozilla plans to release updates for these web browsers and also a standalone extension to address the add-on signing issue that caused browser add-ons to fail in all versions of the web browser.
Mozilla will release an automatic update that fixes the issue for the Firefox versions 52 through 60. Firefox users who run version 61 to 65 may install a browser extension instead to resolve the issue on their end.
Last Friday, Firefox users from around the world noticed that the Firefox browser would deactivate all installed browser add-ons. Firefox would display the notification "One or more installed add-ons cannot be verified and have been disabled" to users of the browser. All browser extensions were deactivated in the browser, and it was impossible to enable them again or download extensions from the Mozilla Add-ons website.
Mozilla has yet to publish details on how something like this could happened; from what we know, it was a certificate that expired. Since it expired, it could not be used anymore to verify add-on signatures.
Mozilla reacted and released a fix through the Firefox browser's Shield studies system at first. The organization pushed out Firefox 66.0.4 and 66.0.5 to the Stable channel, and updates for other Firefox channels as well to resolve the issue.
While that took care of supported Firefox installations, it ignored Firefox installations that were not on the most recent version of the browser.
Mozilla updated the blog post that it released on May 4, 2019 several times. Yesterday's update highlights that a fix will be released for older versions of the Firefox web browser that are not supported officially anymore.
For users who cannot update to the latest version of Firefox or Firefox ESR, we plan to distribute an update that automatically applies the fix to versions 52 through 60. This fix will also be available as a user-installable extension. For anyone still experiencing issues in versions 61 through 65, we plan to distribute a fix through a user-installable extension. These extensions will not require users to enable Studies, and we’ll provide an update when they are available. (May 8. 19:28 EDT)
It is unclear how the update for Firefox 52 to 60 will be released. Do users have to search for the update (and risk being updated to a new version of Firefox), or is there another way to push an update to Firefox installations. Mozilla revealed that it would not use the Shield service for that. The organization promised that information will be provided once the update is available.
Mozilla plans to release a browser extension for Firefox 61 to 65 that fixes the issue as well. A link will be provided when it becomes available.
Closing Words
The decision to release updates for older versions of Firefox should please users who are still on that older version, and it should put the (conspiracy) theory to rest that Mozilla broke the system deliberately to force users to update to the latest version of the browser.
Something like this should never have happened; it showed how fragile enforced systems can be and how big of an impact simple things can have. It will be interesting to see how Mozilla plans to make sure that something like this won't happen again in the future.
Still, it is a good move by Mozilla to release updates for earlier versions. Whether that is the cause for the one-week release delay for the coming Firefox 67 release is unclear at this point.
Thank you Mozilla. My addons for Firefox ESR 52.9.0 are working. And I’m able to installed the error extensions too.
> “Mozilla has yet to publish details on how something like this could happened”
See https://hacks.mozilla.org/2019/05/technical-details-on-the-recent-firefox-add-on-outage/ for Mozilla’s well written explanation.
Mozilla Corp imposed Firefox(48) add-on signing in 2015 with a certificate that would be expiring in May 2019. Mozilla Corp boasted that she has 15,000 add-ons/extensions on AMO, which depend on her certificate to function. It is improbable that Mozilla Corp forgot to renew the very important add-on/extension certificate, more like intentional, and straight from the horse’s mouth: …….
“This was due to an error on our end: we *let* one of the certificates used to sign add-ons expire which had the effect of disabling the vast majority of add-ons.”
let
verb
1.
not prevent or forbid; allow.
“my boss let me leave early”
synonyms: allow, permit, give permission to, give leave to, authorize, sanction, grant, grant the right to, warrant, license, empower, enable, entitle;
thanks Anonymous for the link to the fix, it worked. I even didnt had to desable-enable TabMixPlus or any add-on
Absolutely wonderful news; thank you to Mozilla. And thanks to ghacks.net for staying on this issue, especially for those of us who really enjoy and depend on a somewhat older version of Firefox.
The newly hired ex-journalists are not expedient at coding yet by the looks of it.
Just go to about:config and set:
‘xpinstall.signatures.required’ to false
That only works on some release channels: ESR, Dev, Nightly
To me, Mozilla-Firefox is less evil than Google-Chrome and M$-Edge.
Analogy: ……. Mozilla just make you sick with poison for a few days and then provide you with the anti-dote. Google and M$ will enslave you and make you suffer for the rest of your life.
Maybe you are right. Maybe. On the other hand who would you be willing to “trust” 100 % when it comes to online browsing ? I don’t “trust” any of the worldwide available browsers. I only give in to a browser that fits best to what I like and want and then, ……..with the help of some addons plus avoding Google as much as possible hope for the best.
I am not a Geek nor do I have the time or want to spend the time to try to find something totally trustworthy on the web. Do I believe I am totally safe and private on the web ? No, naah, njet, nein, ma no ! They still think I am a 14yr. old female with 7 children, divorced twice and driving a Ferrari, living of welfare in Monaco. I think, I can live with that.
Fool me once, shame on you.
Fool me twice, shame on me.
Fool with me again and again and … and again, Good bye Mozilla. We are done!
And where do you go, my friend ? No sarcasm, I am interested what alternatives you suggest.
” … and again, Good bye Mozilla. We are done!”
The Hindus of the desert take a vow to eat no more fish.
@pHROZEN gHOST
Why? Just keep taking the antidote like AnorKnee Merce said below lol
At this point it is foolish to continue to trust Mozilla. Their antics have proven that the benevolence of the 3.6 days had long expired.
The saying “out of the frying pan into the fire” quite aptly describe these updates. Who know what’s next? Remote spyware addons? Setting loss?
And who am I suppose to trust? Google? No, thanks.
Yes, Mozilla did a very serious mistake, but in this particular case I don’t see it as a breach of trust.
@Nebulus
Assuming you’re even modestly competent, being involved with your own security/privacy is not a bad idea especially it’s clear now that Mozilla’s abuses are quite unending.
As a ghacks user.js user, I’m not affected by this. I’d recommend trusting about:config and software conservatism over Mozilla/Google.
Informed updating (conservatism) goes a long way!
Says the guy who uses user.js which is especially tailored tor Firefox…
“Modestly competent” you say?
I myself, trust Mozilla more than I trust Google and Microsoft anyway. I cannot understand all the hatred towards Mozilla. Sure, the Quantum upgrade was frustrating, but you get use to it and you can still customize a lot more than you can in Google Chrome.
@loxia_01:
I don’t hate Mozilla, personally. I have too lengthy of a history with them for that.
“but you get use to it and you can still customize a lot more than you can in Google Chrome.”
Except that the post-Quantum Firefox doesn’t meet my needs at all, and Mozilla has made it clear that it never will. Being more customizable than Chrome means nothing to me — it’s a lot less customizable than pre-Quantum Firefox, in a way that actually matters to me.
@John Fenderson:
Ditto across the board.
> Remote spyware addons?
Already happened:
https://www.zdnet.com/article/firefox-tests-cliqz-engine-which-slurps-user-browsing-data/
here is the fix for FF 56 and older
https://www.reddit.com/r/firefox/comments/bkspmk/addons_fix_for_5602_older/
That is not the official fix.
It’s been a week already and no answer.
People using version 52.0.9, the last version for Vista/XP, must keep asking Mozilla.
Worked as it should; many thanks for doing this.
Good news, thanks Mozilla ! I’m still using v56.02 because of some add-ons